Post on 13-Jan-2017
Java Community
OAuth2 and Spring Security
Orest Ivasiv
8/14/2015 @halyph
Agenda
OAuth2 Overview
Use Cases
◦ Service-to-service
◦ Client-to-Service
◦ Client-to-client (SSO)
Spring Security OAuth2 Samples
OAuth2 History
Dark Age
Pre OAuth 1.0: every provider had its own delegated-access scheme
◦ Flickr: “FlickrAuth”
◦ Google: “AuthSub”
◦ Facebook: requests signed with MD5 hashes
◦ Yahoo: BBAuth (“Browser-Based Auth”)
OAuth 1.0
◦ Every request carries a signature (HMAC-SHA1 over the request, keyed with the consumer secret and token secret)
OAuth 2.0
◦ Drops request signing; relies on TLS (HTTPS) to protect bearer tokens in transit
Terminology
Authentication – proving who the user is
Authorization – deciding what an identity is allowed to do
Federated Authentication – the user authenticates once with an identity provider and other sites trust that result (SSO)
Delegated Authorization – the user grants a third-party application limited access to their resources without handing over credentials; this is what OAuth2 standardizes
OAuth2 Roles
Resource Owner – the user who owns the protected data
Resource Server – the API that hosts that data
Client Application – the third-party application that wants access on the user's behalf
Authorization Server – issues tokens (may be co-located with the Resource Server)
Role of Client Application
◦ Register with the Authorization Server (get a client_id and, for confidential clients, a client_secret)
◦ Never collect the user's credentials
◦ Obtain a token (opaque to the client) from the Authorization Server
  ◦ On its own behalf – client_credentials
  ◦ On behalf of a user – authorization_code, implicit or password
◦ Present the token to the Resource Server
Role of Resource Server
1. Extract the token from the request and validate it (decode a self-contained token, or check an opaque one against the Authorization Server)
2. Make the access control decision based on:
◦ Scope
◦ Audience
◦ User account information (id, roles etc.)
◦ Client information (id, roles etc.)
3. Reject the request: 401 (UNAUTHORIZED) if the token is missing, expired or invalid; 403 (FORBIDDEN) if it is valid but not sufficient for this resource (RFC 6750)
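The decision sequence above, as an added example that is not code from the slides or from Spring Security OAuth. Token introspection is simulated with a constructed in-memory table keyed by the opaque token string (a real resource server would decode a JWT or call the Authorization Server's introspection endpoint); the audience value RESOURCE_ID, the token strings other than the slides' own and the scopes are assumptions for the example.

```python
"""Resource-server side of OAuth2: validate a bearer token, then decide.

Added example. Introspection is a constructed table; RESOURCE_ID is assumed.
"""
import time

RESOURCE_ID = "https://api.example.com"   # assumed audience this server accepts

# Constructed stand-in for what the Authorization Server knows about each token.
NOW = time.time()
TOKENS = {
    "RsT5OjbzRn430zqMLgV3Ia": {"active": True, "aud": ["https://api.example.com"],
                                "scope": "email profile", "exp": NOW + 3600,
                                "sub": "alice", "client_id": "web-app"},
    "expiredTokenExample":    {"active": True, "aud": ["https://api.example.com"],
                                "scope": "email", "exp": NOW - 1,
                                "sub": "alice", "client_id": "web-app"},
    "wrongAudienceExample":   {"active": True, "aud": ["https://other.example.com"],
                                "scope": "email", "exp": NOW + 3600,
                                "sub": "alice", "client_id": "mobile-app"},
}


def bearer_token(headers):
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750 section 2.1)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def introspect(token):
    """Stand-in for RFC 7662 introspection: None when the token is unknown or inactive."""
    info = TOKENS.get(token)
    return info if info and info["active"] else None


def authorize_request(headers, required_scope):
    """Return (status, response_headers, principal).

    401 = no usable token (missing, unknown, expired, wrong audience),
    403 = valid token that does not carry the rights this resource needs.
    """
    token = bearer_token(headers)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
    info = introspect(token)
    if info is None or info["exp"] <= time.time():
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, None
    if RESOURCE_ID not in info["aud"]:
        # Issued for a different API: accepting it would make this server a confused deputy.
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, None
    granted = set(info["scope"].split())
    if required_scope not in granted:
        challenge = f'Bearer realm="api", error="insufficient_scope", scope="{required_scope}"'
        return 403, {"WWW-Authenticate": challenge}, None
    # The principal the application layer sees: user, client and what was actually granted.
    return 200, {}, {"sub": info["sub"], "client_id": info["client_id"], "scope": granted}


if __name__ == "__main__":
    for hdrs, scope in [({}, "email"),
                        ({"Authorization": "Bearer RsT5OjbzRn430zqMLgV3Ia"}, "email"),
                        ({"Authorization": "Bearer RsT5OjbzRn430zqMLgV3Ia"}, "admin"),
                        ({"Authorization": "Bearer expiredTokenExample"}, "email"),
                        ({"Authorization": "Bearer wrongAudienceExample"}, "email")]:
        print(scope, authorize_request(hdrs, scope)[:2])
```

The audience check matters as much as the scope check: a token that is perfectly valid for another API must not open this one, and the spec's challenge header tells a well-behaved client which of the two failures it hit.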
Role of the Authorization Server
1. Decide token content and issue tokens
2. Provide the interface where users confirm that they authorize the Client to act on their behalf
3. Authenticate users (/authorize)
4. Authenticate clients (/token)
#1 and #4 are covered thoroughly by the spec; #2 and #3 are not (deliberately: how users log in and how consent is shown is left to the implementation).
OAuth 2.0 Grant Flows
Authorization code grant flow
◦ Web-server apps – authorization_code
Implicit grant flow
◦ Browser-based apps – implicit
◦ Mobile apps – implicit
◦ (This was the 2015 recommendation; current guidance, RFC 8252 and the OAuth 2.0 Security BCP, is the authorization code flow with PKCE for both kinds of app, and no implicit flow at all)
Resource owner password credentials grant flow
◦ Username/password access – password
Client credentials grant flow
◦ Application access – client_credentials
Authorization code grant flow (sequence diagram)
Authorization code grant flow (Cont)
◦ Create a “Log In” link
◦ Link to:
https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
◦ Add a state parameter bound to the user's session so the redirect back can be checked for CSRF (RFC 6749 §10.12)
Authorization code grant flow (Cont)
◦ User visits the authorization page
https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
◦ On success, the user is redirected back to your site with an authorization code (short-lived and single-use)
https://example.com/auth?code=AUTH_CODE_HERE
◦ On error, the user is redirected back to your site with an error code
https://example.com/auth?error=access_denied
Authorization code grant flow (Cont)
◦ Your server exchanges the auth code for an access token (for a confidential client the code is useless without the client_secret and the matching redirect_uri, so a code leaked from the browser cannot be redeemed on its own)
POST https://graph.facebook.com/oauth/access_token
Post Body: grant_type=authorization_code&code=CODE_FROM_QUERY_STRING&redirect_uri=REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
◦ Your server gets a response like the following
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
or, if there was an error
{
"error":"invalid_request"
}
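The whole authorization code exchange from the three slides above, both sides in memory, as an added example (not code from the slides, from Facebook or from Spring Security OAuth). The Authorization Server URL, the client registration, the user name and the redirect URIs are constructed for the example; what it shows beyond the slides is the checks that make the flow safe: the redirect_uri must be pre-registered and must match at /token, the code is single-use and short-lived, the client must authenticate, and the client verifies state before it redeems anything.

```python
"""Authorization code grant, both sides, in memory.

Added example. AUTHZ_ENDPOINT, the client registration, the user and the
redirect URIs are constructed; tokens and codes are random strings.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example.com/oauth/authorize"   # assumed
CODE_TTL_SECONDS = 60                                        # codes are short-lived


def _flat(url):
    """Query string of a URL as a plain dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": str, "redirect_uris": [str]}
        self.codes = {}          # code -> what it was issued for

    def authorize(self, request_url, user):
        """/authorize, after the user has logged in and consented. Returns the redirect URL."""
        q = _flat(request_url)
        client = self.clients.get(q.get("client_id"))
        # An unregistered redirect_uri is never followed: that is how codes get stolen.
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        if q.get("response_type") != "code":
            err = {"error": "unsupported_response_type", "state": q.get("state", "")}
            return q["redirect_uri"] + "?" + urlencode(err)
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "user": user, "scope": q.get("scope", ""),
                            "exp": time.time() + CODE_TTL_SECONDS}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form, client_id, client_secret):
        """/token: authenticate the client, then redeem the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code", ""), None)   # pop: a second use finds nothing
        if (grant is None or grant["exp"] < time.time()
                or grant["client_id"] != client_id                      # issued to another client
                or grant["redirect_uri"] != form.get("redirect_uri")):  # must equal the /authorize one
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32),
                "scope": grant["scope"]}


class WebClient:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_states = set()   # would live in the user's server-side session

    def login_url(self):
        """The “Log In” link; state ties the later redirect to this browser session."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "email", "state": state})

    def handle_redirect(self, redirect_url, server):
        """Callback at redirect_uri: check state, then exchange the code server-to-server."""
        q = _flat(redirect_url)
        if q.get("state") not in self.pending_states:
            raise ValueError("state mismatch: possible CSRF or injected code")
        self.pending_states.discard(q["state"])
        if "error" in q:
            return {"error": q["error"]}
        form = {"grant_type": "authorization_code", "code": q.get("code", ""),
                "redirect_uri": self.redirect_uri}
        return server.token(form, self.client_id, self.client_secret)


def demo():
    server = AuthorizationServer({"YOUR_CLIENT_ID": {
        "secret": "YOUR_CLIENT_SECRET", "redirect_uris": ["https://example.com/auth"]}})
    client = WebClient("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "https://example.com/auth")
    redirect = server.authorize(client.login_url(), user="alice")   # browser follows the link
    code = _flat(redirect)["code"]
    tokens = client.handle_redirect(redirect, server)               # browser comes back
    replay = server.token({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": client.redirect_uri},
                          "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")   # same code a second time
    try:
        client.handle_redirect("https://example.com/auth?code=attacker&state=forged", server)
        forged = "accepted"
    except ValueError:
        forged = "rejected"
    return {"tokens": tokens, "replay": replay, "forged_state": forged}


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints a bearer token response, `invalid_grant` for the replayed code, and `rejected` for the redirect carrying an unknown state.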
Implicit grant flow (sequence diagram)
Implicit grant flow (Cont)
◦ Create a “Log In” link
◦ Link to:
https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
Implicit grant flow (Cont)
◦ User visits the authorization page
https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
◦ On success, the user is redirected back to your site with the access token in the URL fragment (RFC 6749 §4.2.2 names the parameter access_token)
https://example.com/auth#access_token=ACCESS_TOKEN
◦ On error, the user is redirected back to your site with an error code
https://example.com/auth#error=access_denied
◦ There is no code-for-token exchange and no client authentication: the token is handed straight to the browser, lands in history and anything else that can read the URL, and no refresh token is issued
Resource owner password credentials grant flow (sequence diagram)
Resource owner password credentials grant flow (Cont)
POST https://api.example.com/oauth/token
Post Body:
grant_type=password
&username=USERNAME
&password=PASSWORD
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
The client sees the user's password, so this grant is only acceptable for first-party clients trusted as much as the Authorization Server itself (RFC 6749 §4.3); the refresh token lets the client discard the password as soon as the first token is issued.
Client credentials grant flow (sequence diagram)
Client credentials grant flow (Cont)
POST https://api.example.com/1/oauth/token
Post Body:
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600
}
No refresh token here: the client can always authenticate again with its own credentials, and RFC 6749 §4.4.3 says a refresh token SHOULD NOT be issued for this grant.
Grant Types
authorization_code:
◦ Authorization code grant flow (Web-server apps)
◦ response_type=code
implicit:
◦ Implicit grant flow (Mobile and browser-based apps)
◦ response_type=token
password:
◦ Resource owner password credentials grant flow (Username/password access)
client_credentials:
◦ Client credentials grant flow (Application access)
Accessing Resources
GET https://api.example.com/me
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
RFC 6750 also allows the access token as a form body parameter or a query string parameter
https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia
Prefer the Authorization header: a token in the query string ends up in server logs, proxy logs, browser history and Referer headers, and the spec says the query form SHOULD NOT be used unless the header is impossible.
New access token via refresh token
POST https://api.example.com/oauth/token
grant_type=refresh_token
&refresh_token=e1qoXg7Ik2RRua48lXIV
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Your server gets a similar response as the original call to oauth/token, with new tokens.
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
If the response carries a new refresh token, the old one is invalid from that point (RFC 6749 §6); the client must store the new one.
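The refresh exchange above with refresh-token rotation, as an added example (not code from the slides or from Spring Security OAuth). RFC 6749 §6 lets the Authorization Server return a new refresh token and requires the old one to be revoked when it does; revoking the whole token family when an already-rotated refresh token is presented again is the reuse-detection practice from the OAuth 2.0 Security BCP, and is what turns a stolen refresh token into a detectable event. The client registration and scope are constructed for the example.

```python
"""Refresh-token grant with rotation and reuse detection.

Added example. Client registration and scopes are constructed.
"""
import secrets


class TokenEndpoint:
    def __init__(self, clients):
        self.clients = clients          # client_id -> client_secret
        self.refresh_tokens = {}        # refresh_token -> {"family", "client_id", "scope", "used"}
        self.revoked_families = set()   # families killed after a reuse was detected

    def _issue(self, client_id, scope, family):
        new_rt = secrets.token_urlsafe(32)
        self.refresh_tokens[new_rt] = {"family": family, "client_id": client_id,
                                       "scope": scope, "used": False}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": 3600, "refresh_token": new_rt, "scope": scope}

    def initial_grant(self, client_id, scope):
        """Stand-in for the first grant (authorization_code or password): opens a new family."""
        return self._issue(client_id, scope, family=secrets.token_hex(8))

    def refresh_grant(self, form, client_id, client_secret):
        """POST /oauth/token with grant_type=refresh_token."""
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self.refresh_tokens.get(form.get("refresh_token", ""))
        if rec is None or rec["client_id"] != client_id or rec["family"] in self.revoked_families:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # A rotated token came back: two parties hold copies and one of them is not
            # our client. Kill the whole family so the attacker's copy dies too.
            self.revoked_families.add(rec["family"])
            return {"error": "invalid_grant"}
        rec["used"] = True   # rotation: the old refresh token dies as the new one is born
        return self._issue(client_id, rec["scope"], rec["family"])


def demo():
    ep = TokenEndpoint({"YOUR_CLIENT_ID": "YOUR_CLIENT_SECRET"})
    first = ep.initial_grant("YOUR_CLIENT_ID", "email")

    def refresh(rt):
        return ep.refresh_grant({"grant_type": "refresh_token", "refresh_token": rt},
                                "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")

    second = refresh(first["refresh_token"])          # legitimate rotation
    stolen_replay = refresh(first["refresh_token"])   # the old copy presented again
    after_breach = refresh(second["refresh_token"])   # even the fresh token is now dead
    return {"second": second, "stolen_replay": stolen_replay, "after_breach": after_breach}


if __name__ == "__main__":
    print(demo())
```

The cost of the design is that the legitimate client is logged out when a reuse is detected and has to run a full grant again; that is the intended outcome, since at that point the server cannot tell which holder of the token was the attacker.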
Sample Apps
1. Sample OAuth2 with password grant
2. Web App Client
References
OAuth
◦ The OAuth 2.0 Authorization Framework
◦ http://oauth.net/2/
◦ OAuth Bible by @Nijikokun
◦ An Introduction to OAuth 2 by Aaron Parecki
◦ Single-Page-Application & REST security by Igor Bossenko
Videos
◦ O'Reilly Webcast: An Introduction to OAuth 2 by Aaron Parecki
◦ David Syer (lead of Spring Security OAuth)
  ◦ Security for Microservices with Spring and OAuth2
  ◦ Webinar Replay: A Single-Page Application with Spring Security and Angular JS
  ◦ Data Modelling and Identity Management with OAuth2
◦ Les Hazlewood (Stormpath founder and CTO, Apache Shiro)
  ◦ Token Authentication for Java Applications
Sample Apps
◦ https://github.com/spring-projects/spring-security-oauth/tree/master/tests/
◦ https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2
◦ https://github.com/dsyer/spring-security-angular/
OAuth and Spring
◦ https://speakerdeck.com/dsyer/security-for-microservices-with-spring
Q&A